Contents

Overview of ACE Connection Handling

This article describes how the ACE handles connections at Layer 4 (L4) and Layer 7 (L7). For L4 connections, the ACE receives a TCP packet from a client and load balances the connection to a server on the first packet (see Figure 1). The SYN-ACK from the server matches an existing flow and the rest of the connection is handled in the fast path (hardware-accelerated path in the network processors), which is represented here as "shortcut." The ACE does not complete the TCP handshake itself; the client and server do. This process applies to the following functions:

Basic load balancing

Source IP sticky

TCP/IP normalization

Figure 1. Layer 4 Flow Setup

For L7 flows (for example, L7 load balancing, URL parsing, and generic TCP payload parsing), the ACE acts as a proxy (spoofs the server), intercepts the client's VIP request that matches an L7 rule, and terminates the TCP connection. See Figure 2. The ACE sends a SYN-ACK to the client in response to the client's TCP SYN. The client responds with an ACK to complete the TCP handshake and an L7 request method (for example, HTTP GET or POST).

Figure 2. Layer 7 Flow Setup -- Client Connection

After the ACE receives the L7 information (for example, HTTP GET), it sets up the back-end connection to the real server based on the load-balancing method and other criteria. See Figure 3.

Figure 3. Layer 7 Flow Setup -- Server Connection

Finally, the ACE unproxies the connection with the client and splices it together with the back-end connection to the server. For the life of the HTTP flow, the client communicates directly with the server through the fast path (hardware-accelerated path in the network processors), which is depicted in the figures as "Shortcut." See Figure 4.

Figure 4. Layer 7 Flow Setup -- Splicing the Flows Together

Figure 5 shows how the ACE adjusts the sequence numbers and ACK numbers when it splices the two flows together.
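As an added illustration (not part of the original article, and not a description of ACE internals), the following Python models the sequence/ACK translation that any TCP splice needs when the client-side and server-side handshakes were completed with different initial sequence numbers. All ISNs and lengths are constructed; `proxy_client_isn` is the ISN assumed for the proxy-originated SYN toward the server.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    payload_len: int


@dataclass(frozen=True)
class SpliceDeltas:
    """Offsets between the two handshakes the proxy completed separately.
    The client only knows the ISN the proxy offered it; the server only knows
    the ISN the proxy used toward it and its own ISN. After the splice, every
    number crossing the box has to be shifted by these offsets."""
    client_seq: int  # proxy_client_isn - client_isn
    server_seq: int  # server_isn - proxy_isn


def splice_deltas(client_isn: int, proxy_isn: int,
                  proxy_client_isn: int, server_isn: int) -> SpliceDeltas:
    return SpliceDeltas((proxy_client_isn - client_isn) % MOD,
                        (server_isn - proxy_isn) % MOD)


def to_server(seg: Segment, d: SpliceDeltas) -> Segment:
    # client -> server: SEQ moves into the back-end space, ACK into the server's space
    return Segment((seg.seq + d.client_seq) % MOD, (seg.ack + d.server_seq) % MOD, seg.payload_len)


def to_client(seg: Segment, d: SpliceDeltas) -> Segment:
    # server -> client: the inverse shifts, so the client keeps seeing the proxy's ISN space
    return Segment((seg.seq - d.server_seq) % MOD, (seg.ack - d.client_seq) % MOD, seg.payload_len)


def spliced_exchange(client_isn, proxy_isn, proxy_client_isn, server_isn,
                     request_len, response_len):
    """First request/response pair after the splice, as the server and the client see it."""
    d = splice_deltas(client_isn, proxy_isn, proxy_client_isn, server_isn)
    client_req = Segment((client_isn + 1) % MOD, (proxy_isn + 1) % MOD, request_len)
    req_at_server = to_server(client_req, d)
    server_resp = Segment((server_isn + 1) % MOD,
                          (req_at_server.seq + request_len) % MOD, response_len)
    resp_at_client = to_client(server_resp, d)
    return req_at_server, resp_at_client
```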

With the persistence rebalance (connection keepalive) command configured, the ACE reproxies and parses subsequent HTTP 1.1 requests over the same TCP connection. In this case, the ACE again spoofs the server and ACKs the HTTP GET as shown in Figure 6. The sequence shown in Figure 2 through Figure 5 repeats for each new HTTP 1.1 request over the same TCP connection.

Figure 6. Layer 7 Flow Setup -- Reproxy

For SSL termination, TCP server reuse, application protocol inspection, and HTTP 1.1 pipelining, the ACE fully terminates the client TCP connection. This connection remains fully proxied because the ACE is acting on behalf of the real server. For SSL termination, the ACE completes an SSL handshake after it establishes the TCP connection with the server. See Figure 7.

Figure 7. SSL Handshake

For SSL termination, TCP server reuse, application protocol inspection, and HTTP 1.1 pipelining, the client and server connections are completely independent and flows are handled in the software, not in the fast path. See Figure 8.

Figure 8. Layer 7 Flow Setup -- Full Proxy

Internal Mapping of ACE TCP and UDP Flows

The ACE maps TCP and UDP flows as two halves of the same flow: one input flow and one output flow. You can display the current connections in the ACE by entering the show connections command. See Figure 8.

Figure 8. Internal Flow Mapping

ACE Connection Table Entries

Understanding ACE's Conn Table Entries During:

    L4 TCP Connection Setup (3 Way Handshake)
        Normalisation Enabled
        Normalisation Disabled
    L7 TCP Connection Setup (3 Way Handshake)
    TCP Connection Teardown
        3 Way Handshake
        4 Way Handshake
        Reset

Tracking Connections Through the ACE

You can display the IDs for the request and response connections in the ACE by entering the following command:

Troubleshooting Connections

To troubleshoot suspected connectivity issues, follow these steps:

1. Check the ACL hit count by entering the show access-list acl_name command. If the hit count is increasing, go to Step 2. Otherwise, verify that the access list is configured properly to permit traffic.

2. Check the service policy hit count by entering the show service-policy detail command. If the hit count is 0, verify that the service policy is active (show service-policy command) and the server farm is up (show server-farm detail command). If the service policy is large, use the show service-policy policy_name summary command for more information as follows:

3. Check the load-balancing statistics by entering the show stats loadbalance command. If the Layer 4 or Layer 7 rejections or the Layer 4 or Layer 7 policy misses are increasing, check the configured class maps for any misconfiguration.

ACE_module5/Admin# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created : 628950
Total Connections Current : 7
Total Connections Destroyed: 389
Total Connections Timed-out: 3958
Total Connections Failed : 624596 <------- Server did not reply to a SYN within the pending timeout period or it replied with a RST

The Total Connections Failed counter increases when the ACE cannot set up the back-end connection with the server. To clear the statistical information stored in the ACE buffer, enter the clear stats connection command.
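An added helper (not part of the original article) that compares two successive show stats connection captures and reports which counters moved, so a growing Total Connections Failed value stands out instead of being read off a single snapshot. The two captures below are constructed in the article's output format; the numbers are made up.

```python
import re

# One "Total Connections <name> : <value>" line; anything after the value is ignored.
COUNTER_RE = re.compile(r"^(Total Connections [A-Za-z-]+)\s*:\s*(\d+)")


def parse_connection_stats(text: str) -> dict:
    """Map each counter in a 'show stats connection' capture to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_deltas(before: dict, after: dict) -> dict:
    """Change in each counter between two captures (counters missing from either are skipped)."""
    return {name: after[name] - before[name] for name in before if name in after}


def backend_setup_failing(before: dict, after: dict) -> bool:
    """True when 'Total Connections Failed' grew between the captures: the ACE could not
    bring up the back-end connection (no SYN reply within the pending timeout, or a RST)."""
    return counter_deltas(before, after).get("Total Connections Failed", 0) > 0


# Constructed captures in the article's output format; the values are made up.
CAPTURE_1 = """\
ACE_module5/Admin# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created : 628950
Total Connections Current : 7
Total Connections Destroyed: 389
Total Connections Timed-out: 3958
Total Connections Failed : 624596
"""
CAPTURE_2 = CAPTURE_1.replace("628950", "629120").replace("624596", "624760")

if __name__ == "__main__":
    before, after = parse_connection_stats(CAPTURE_1), parse_connection_stats(CAPTURE_2)
    for name, delta in counter_deltas(before, after).items():
        print(f"{name}: {delta:+d}")
    print("back-end setup failing:", backend_setup_failing(before, after))
```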

6. Display service policy statistics by entering the following command: